IDA 7.1 debugging module: Porting from IDA 4.9-7.0 API to IDA 7.1 API

Introduction

The most important change is the use of the notification codes instead of callbacks.

We added the new hook type HT_IDD and replaced all callback pointers by notifications.

The debugger module in the debugger_t structure should provide only two callbacks now:

set_dbg_options - with the same meaning as before

callback - this callback will be hooked to the HT_IDD notification point when the debugger is loaded and unhooked when the debugger is unloaded. The debugger plugin will be the last one to receive notifications.

Notifications

In most cases the name of a notification event corresponds to the old callback name prefixed with "ev_".
However, please note that we renamed some events, for example:

stopped_at_debug_event to ev_suspended.

Many notification callbacks now have an additional argument - errbuf, which is used to report the detailed error message.

original callback            notification code
init_debugger                ev_init_debugger
term_debugger                ev_term_debugger
get_processes                ev_get_processes
start_process                ev_start_process
attach_process               ev_attach_process
detach_process               ev_detach_process
get_debapp_attrs             ev_get_debapp_attrs
rebase_if_required_to        ev_rebase_if_required_to
prepare_to_pause_process     ev_request_pause
exit_process                 ev_exit_process
get_debug_event              ev_get_debug_event
continue_after_event         ev_resume
set_exception_info           ev_set_exception_info
stopped_at_debug_event       ev_suspended
thread_suspend               ev_thread_suspend
thread_continue              ev_thread_continue
set_resume_mode              ev_set_resume_mode
read_registers               ev_read_registers
write_register               ev_write_register
thread_get_sreg_base         ev_thread_get_sreg_base
get_memory_info              ev_get_memory_info
read_memory                  ev_read_memory
write_memory                 ev_write_memory
is_ok_bpt                    ev_check_bpt
update_bpts                  ev_update_bpts
update_lowcnds               ev_update_lowcnds
open_file                    ev_open_file
close_file                   ev_close_file
read_file                    ev_read_file
write_file                   ev_write_file
map_address                  ev_map_address
get_debmod_extensions        ev_get_debmod_extensions
update_call_stack            ev_update_call_stack
appcall                      ev_appcall
cleanup_appcall              ev_cleanup_appcall
eval_lowcnd                  ev_eval_lowcnd
send_ioctl                   ev_send_ioctl
dbg_enable_trace             ev_dbg_enable_trace
is_tracing_enabled           ev_is_tracing_enabled
rexec                        ev_rexec
get_srcinfo_path             ev_get_srcinfo_path

New notification code:

ev_bin_search

IDA needs to know if the debugger module will react to specific notification codes.
To describe this, the following flags have been added:

DBG_HAS_GET_PROCESSES

DBG_HAS_ATTACH_PROCESS

DBG_HAS_DETACH_PROCESS

DBG_HAS_REQUEST_PAUSE

DBG_HAS_SET_EXCEPTION_INFO

DBG_HAS_THREAD_SUSPEND

DBG_HAS_THREAD_CONTINUE

DBG_HAS_SET_RESUME_MODE

DBG_HAS_THREAD_GET_SREG_BASE

DBG_HAS_CHECK_BPT

DBG_HAS_OPEN_FILE

DBG_HAS_UPDATE_CALL_STACK

DBG_HAS_APPCALL

DBG_HAS_REXEC

Please see idd.hpp for more details.

Structures

There are several changes in the structures used by the debugger module.

debugger_t

Renamed fields and methods:

original name                new name
register_classes             regclasses
register_classes_default     default_regclasses
_registers                   registers
registers_size               nregs
register                     regs()

event_id_t

Renamed events:

original name                new name
PROCESS_START                PROCESS_STARTED
PROCESS_EXIT                 PROCESS_EXITED
THREAD_START                 THREAD_STARTED
THREAD_EXIT                  THREAD_EXITED
LIBRARY_LOAD                 LIB_LOADED
LIBRARY_UNLOAD               LIB_UNLOADED
PROCESS_ATTACH               PROCESS_ATTACHED
PROCESS_DETACH               PROCESS_DETACHED
PROCESS_SUSPEND              PROCESS_SUSPENDED

Removed events:

SYSCALL

WINMESSAGE

Please note that the event codes have been changed.

debug_event_t

Changed to be more robust and controlled.

Public fields have been replaced by accessors.

original field               new accessor
eid                          eid(), set_eid()
modinfo                      modinfo(), set_modinfo()
exit_code                    exit_code(), set_exit_code()
info                         info(), set_info()
bpt                          bpt(), set_bpt()
exc                          exc(), set_exc()

Please note that the event THREAD_STARTED can return the thread name using the info accessor.

bpt_t

Added new fields:

pid - breakpoint process id

tid - breakpoint thread id

Example

The highlighter plugin has been ported to use the new debugger module API.
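A porting aid built from the rename tables on this page, as an added example that is not Hex-Rays code: it scans C++ source text for pre-7.1 names (old debugger_t callbacks and fields reached through `->` or `.`, and old event_id_t constants) and reports what each one became. The names `scan` and `SAMPLE` are hypothetical, the member-access matching is a heuristic, and the sample input is constructed.

```python
import re

# Tables transcribed from this page. A callback maps to "ev_" + its old name
# unless RENAMED_CB lists it. MEMBERS and CONSTS hold the advice per old name.
CALLBACKS = """init_debugger term_debugger get_processes start_process
attach_process detach_process get_debapp_attrs rebase_if_required_to
prepare_to_pause_process exit_process get_debug_event continue_after_event
set_exception_info stopped_at_debug_event thread_suspend thread_continue
set_resume_mode read_registers write_register thread_get_sreg_base get_memory_info
read_memory write_memory is_ok_bpt update_bpts update_lowcnds open_file close_file
read_file write_file map_address get_debmod_extensions update_call_stack appcall
cleanup_appcall eval_lowcnd send_ioctl dbg_enable_trace is_tracing_enabled rexec
get_srcinfo_path""".split()
RENAMED_CB = {"prepare_to_pause_process": "ev_request_pause",
              "continue_after_event": "ev_resume",
              "stopped_at_debug_event": "ev_suspended", "is_ok_bpt": "ev_check_bpt"}
FIELDS = {"register_classes": "regclasses", "registers_size": "nregs",
          "register_classes_default": "default_regclasses",
          "_registers": "registers", "register": "regs()"}
EVENTS = {"PROCESS_START": "PROCESS_STARTED", "PROCESS_EXIT": "PROCESS_EXITED",
          "THREAD_START": "THREAD_STARTED", "THREAD_EXIT": "THREAD_EXITED",
          "LIBRARY_LOAD": "LIB_LOADED", "LIBRARY_UNLOAD": "LIB_UNLOADED",
          "PROCESS_ATTACH": "PROCESS_ATTACHED", "PROCESS_DETACH": "PROCESS_DETACHED",
          "PROCESS_SUSPEND": "PROCESS_SUSPENDED"}
MEMBERS = {n: "callback replaced by notification " + RENAMED_CB.get(n, "ev_" + n)
           for n in CALLBACKS}
MEMBERS.update({old: "renamed to " + new for old, new in FIELDS.items()})
CONSTS = {old: "renamed to " + new for old, new in EVENTS.items()}
CONSTS.update(SYSCALL="event removed", WINMESSAGE="event removed")
MEMBER_RE = re.compile(r"(?:->|\.)\s*([A-Za-z_]\w*)")
CONST_RE = re.compile(r"\b[A-Z][A-Z_]+\b")   # whole identifier, so *_STARTED is skipped

def scan(source):
    """Return (line, old_name, advice) for each pre-7.1 name in C++ source text."""
    out = []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]        # naive: drops // comments only
        hits = [(n, MEMBERS) for n in MEMBER_RE.findall(code)]
        hits += [(n, CONSTS) for n in CONST_RE.findall(code)]
        out += [(no, n, table[n]) for n, table in hits if n in table]
    return out

# Constructed legacy-style snippet (not SDK code) that exercises the scanner.
SAMPLE = """if ( ev.eid == PROCESS_START )   // old event name
  dbg->read_memory(ea, buf, sizeof(buf));
for ( int i = 0; i < dbg->registers_size; i++ )
  use(dbg->_registers[i]);
if ( code == PROCESS_STARTED ) dbg->continue_after_event(&ev);
case SYSCALL: break;"""
```

Calling `scan(SAMPLE)` returns one finding per legacy name; names that are already ported, such as `PROCESS_STARTED`, are not reported.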